module

Pimcore Gather Credentials via SQL Injection

Disclosed: 2018-08-13
Created: 2019-03-19

Description

This module extracts the usernames and hashed passwords of all users of
the Pimcore web service by exploiting a SQL injection vulnerability in
Pimcore's REST API.

Pimcore builds each password hash in two steps. It first concatenates
the user's username, the name of the application, and the user's
password in the format USERNAME:pimcore:PASSWORD.

It then computes the MD5 hash of that string and passes the MD5 hash to
PHP's built-in password_hash function, which generates the final hash.
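
The two-step scheme described above, written out as an added PHP example (not Pimcore's own code and not part of the module), with a check of which algorithm and cost protect a stored hash. PASSWORD_DEFAULT is an assumption, since the page does not name the password_hash algorithm; the function names and sample credentials are constructed.

```php
<?php
// Added illustration of the scheme described on this page; not Pimcore source.
// Function names and the sample credentials are constructed.

// Step 1: MD5 over "USERNAME:pimcore:PASSWORD" (a 32-character hex string).
function inner_digest(string $username, string $password): string
{
    return md5($username . ':pimcore:' . $password);
}

// Step 2: pass the MD5 hex digest to password_hash().
// PASSWORD_DEFAULT is an assumption; the page does not name the algorithm.
function stored_hash(string $username, string $password): string
{
    return password_hash(inner_digest($username, $password), PASSWORD_DEFAULT);
}

// Login check: rebuild the inner digest and let password_verify() compare it.
function check_login(string $username, string $password, string $stored): bool
{
    return password_verify(inner_digest($username, $password), $stored);
}

// Audit helper: report the algorithm and options behind a stored hash and
// whether it falls short of the current default and should be re-hashed.
function audit_hash(string $stored): array
{
    $info = password_get_info($stored);
    return [
        'algorithm'    => $info['algoName'],
        'options'      => $info['options'],
        'needs_rehash' => password_needs_rehash($stored, PASSWORD_DEFAULT),
    ];
}

$stored = stored_hash('editor', 'correct horse battery staple');

// The username is part of the hashed input, so a stored hash is tied to the
// account name as well as to the password.
var_dump(check_login('editor', 'correct horse battery staple', $stored));
var_dump(check_login('admin', 'correct horse battery staple', $stored));
var_dump(check_login('editor', 'wrong password', $stored));

print_r(audit_hash($stored));
```

The salt and work factor come entirely from the outer password_hash call, so the audit output is what tells you how much protection exposed hashes still have.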

Authors

Thongchai Silpavarangkura
N. Rai-Ngoen
Shelby Pace

Module Options

To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:


msf > use auxiliary/gather/pimcore_creds_sqli
msf auxiliary(pimcore_creds_sqli) > show actions
...actions...
msf auxiliary(pimcore_creds_sqli) > set ACTION <action-name>
msf auxiliary(pimcore_creds_sqli) > show options
...show and set options...
msf auxiliary(pimcore_creds_sqli) > run
